Digital Networks Act and CSA 2.0: key implications for telecoms and digital infrastructure

These proposals will affect telecom providers and operators, satellite operators, corporate end-users of electronic communications services, and digital infrastructure and technology service providers as users:

• The Proposal for a Regulation on a Digital Networks Act, published on January 21, 2026, will repeal and replace four existing legal instruments: the European Electronic Communications Code (EECC), the BEREC Regulation, the Radio Spectrum Policy Program, core parts of the Open Internet Regulation and of the ePrivacy Directive, merging them into a single, directly applicable Regulation. The DNA aims to modernize EU telecom rules by introducing rules on fiber transition, spectrum, satellite authorizations, cybersecurity, and infrastructure resilience.
• The revised Cybersecurity Act (CSA 2.0), published on January 20, 2026, will repeal and replace the original Regulation (EU) 2019/881. Understanding the CSA is essential to explaining the DNA because the latter makes compliance with CSA supply-chain security measures a condition for general authorizations and spectrum rights, linking the two proposals directly and reinforcing EU-level cybersecurity requirements across the telecoms sector.
• The Commission also published on January 20, 2026 a proposal for targeted amendments of NIS2. The NIS2 Directive will likewise be affected by these frameworks; however, given the focus of this alert on the CSA/DNA interplay for telecom and satellite sectors, NIS2-related aspects are not further elaborated at this stage.

Why these changes?

The 2018 Directive on the European Electronic Communications Code governs the roll-out and operations of telecom in Europe. However, as a directive, it has led to national fragmentation in areas such as general authorizations and spectrum allocation. The Commission's stated objectives are to modernize EU telecom rules to address digitalization of networks, increasing connectivity demand driven by AI, cloud, and edge computing, and growing cybersecurity concerns, whilst strengthening the EU single market for electronic communications.

Main changes introduced by the proposals

1. Supply chain cybersecurity as a condition for market access

The DNA and the CSA 2.0 make the right to provide electronic communications networks and services subject to compliance with the supply chain cybersecurity imposed by the CSA 2.0.

The Commission is empowered to designate high risk vendors, countries posing cybersecurity risks, key ICT assets, and impose mandatory mitigation measures to targeted NIS2 entities. CSA 2.0 already lists key ICT assets for fixed, mobile and satellite networks. Providers would be prohibited from using components from or including parts from designated high-risk vendors in key ICT assets and required to phase them out.

Mandatory mitigation measures may include mandatory diversification of ICT components, restrictions on contractual and operational relationships, prohibitions on third country access, enhanced transparency and auditing requirements.

The CSA 2.0 introduces strict financial and operational penalties, in case of non-compliance, including fines of up to 7% of the total worldwide annual turnover, depending on the breach. Persistent non‑compliance may ultimately result in withdrawal of the right to provide networks or services under authorization or use spectrum rights.

2. Harmonization of general authorizations and single passport procedure

The DNA introduces a harmonized set of conditions for general authorizations, including compliance with cybersecurity and resilience measures.

A single passport procedure would facilitate the cross-border provision of electronic communications networks and services across multiple member states with a single notification and confirmation. The measures would provide for a more uniform and efficient process for market entry and expansion across Europe.

3. Use-it-or-share-it principle and duration of spectrum rights

The DNA introduces a “use-it-or-share-it” principle, forcing spectrum holders to use their rights or share them, as well as an unlimited duration of spectrum rights, with the possibility for member states to revoke or limit individual spectrum rights under certain conditions. Limited individual rights would be automatically renewed upon the holder’s request.

These changes are intended to offer greater investment predictability for spectrum holders.

4. Fiber to copper transition

The DNA states that national regulatory authorities must identify specific geographic copper switch-off area (CSO areas). The DNA mandates a copper switch off in such CSO areas two phases, subject to safeguards for end-users: (i) before December 31, 2035, copper switch-off is mandated in CSO areas meeting two cumulative requirements (i.e., 95% fiber coverage and availability of affordable retail connectivity services) and (ii) in all other CSO areas copper switch-off is mandated by December 31, 2035.

While the focus now definitively switched to fiber networks, the Commission still maintains that infrastructure competition is the holy grail to foster effective competition. Consequently, the member states should ensure that the entry or roll-out of a new network can take place in a fair, efficient, and environmentally responsible way and independently of any obligation on an undertaking designated as having significant market power to grant access to its electronic communications network.

This may lead to an increased push for the sharing of passive infrastructure, which also coincides with a push for remedies being imposed, where possible, before the roll-out of infrastructure, for the development of flexible and open network architecture, which would reduce eventually the burden and complexity of remedies imposed at a later stage.

5. Competition law aspects

Market regulation

• The DNA maintains the significant market power (SMP) concept as the key concept for the ex-ante regulatory framework, including the three‑criteria test and five‑year market review cadence, but it further simplifies it aligns it with the “dominant position” concept under EU competition law.
• Certain EECC SMP‑specific mechanisms that saw limited or complex use—most notably the co‑investment deregulation option and functional/voluntary separation provisions for vertically integrated SMP operators—are removed to simplify the procedural options and avoid delays in regulation/deregulation.
• The DNA largely maintains the remedy framework, favoring less intrusive interventions (such as passive access) over price control and cost accounting (see above regarding the push for remedies being imposed before the roll-out of infrastructure).
• Nevertheless, the commitments procedure is further streamlined focusing on allowing NRAs to market‑test and make commitments binding.
• If a market is deregulated, the NRA should determine a transition period taking into account existing access agreements.
• There will be an increased focus on NRAs finalizing their market reviews promptly, to limit any period or regulatory uncertainty, and to force them to keep up with technological developments.

The goal of the refinement of the SMP system is to result in a faster, more predictable, investment‑friendly SMP regulation with fewer intrusive remedies, while still addressing competition harms effectively.

6. State aid

The DNA repeals the sector-specific universal service designations, and calculation mechanisms for compensation for the provision of such universal services for electronic communications. Instead, public compensation for universal service obligations should follow the normal state aid framework, including the SGEI-rules.

Member states will have more flexibility in choosing the method of financing, in line with the options currently available in state aid practice.

7. Net neutrality and consumer protection

Net neutrality rules are largely preserved, but an additional condition to limit technology neutrality where necessary to safeguard public safety, national security or other overriding public‑interest objectives. Operators would have to report every two years on open internet measures and justify any traffic management measures.

Consumer protection provisions are streamlined and harmonized, requiring enhanced measures against fraudulent and malicious activities.

8. Voluntary conciliation procedure

The DNA establishes a voluntary conciliation procedure to facilitate dialogue on technical and commercial arrangements between providers of electronic communications networks and other undertakings. While not mandatory, this mechanism might be used to address network contribution issues and foster cooperation.

Next steps

The reaction to the DNA reveals disagreement over whether the Commission’s proposal is sufficient to address Europe’s network problems.

The major telecom operators have broadly welcomed elements that move the sector toward greater EU‑level harmonization, particularly the “single passport” for cross‑border operations and the longer‑term spectrum licensing.

Their concerns—as well as those of smaller market players—however, focus on the lack of sufficient simplification and investment incentives, especially for the switch to fiber.

In terms of timeline, the DNA and CSA 2.0 proposals will now proceed to the European Parliament and Council for negotiation under the ordinary legislative procedure.

Key takeaways for businesses

Businesses operating in the EU telecom and digital infrastructure sectors should closely track the legislative process and begin preparing for compliance with the new framework. In particular:

• Prepare for stricter supply chain cybersecurity requirements and potential, vendor phase-outs, and heightened expectations regarding regulatory and authority scrutiny.
• Leverage streamlined authorization and spectrum procedures for cross-border operations.
• Plan for mandated fiber transition and associated investments.